Server Security: Keeping Your Data Safe

Wednesday Apr 25th 2001 by ServerWatch Staff

Share:

By Karl Magsig There are different ways to secure data while it is in storage on your servers. In this case, the security of your data means not only its sanctity -- keeping unwanted people from seeing or accessing it -- but also the integrity of it, ensuring that important information is not destroyed by viruses or lost through a hard drive crash.

By Karl Magsig

There are different ways to secure data while it is in storage on your servers. In this case, the security of your data means not only its sanctity -- keeping unwanted people from seeing or accessing it -- but also the integrity of it, ensuring that important information is not destroyed by viruses or lost through a hard drive crash.

The best and easiest way to keep data safe from the prying eyes of others is through user accounts and access rights. In most client-server networks, users must "log on" to the central servers, identifying themselves to it. They are then given access to specific sections of the data stored there. This is the first line of defense when it comes to securing data. By using accounts and passwords, the sys admin controls who has access to the information on the server and how much of that data they have access to.

Through either malicious intent or carelessness, people who should not have passwords can obtain them. It is always a good idea to change everyones' passwords on a regular basis. While this can be a major undertaking if you have numerous users, it can also save a lot of trouble. It is also important to take the time to ensure that your users know how and why to keep their passwords private. If someone is not aware of the risks involved, he will be more likely to leave a sticky note with the password written on it on his monitor (just so he won't forget). Taking time to educate your users can go a long way toward increasing network security

By Karl Magsig

When first installed and configured, PGP creates a key-pair using a specified passphrase. As the name implies, this key-pair is made up of two keys, one private and one public. You then share the public portion of your key-pair with others whom you allow to decrypt your messages.

The retail version of PGP also comes with a feature called PGP Disk. This feature allows you to create a folder on your hard drive, store and access data in it as normal, then when you are finished with it, encrypt the folder and all of its contents. Once it's been encrypted, the folder appears to the operating system as a file. The only way to gain access again is to "mount" it through PGP and enter your secret passphrase. Once PGP accepts your passphrase, it decrypts the folder and all of its contents, allowing you access to it as if it were a normal folder on your hard drive.

Other methods of data encryption are available, but PGP is the most widely used and recognized as well as the industry leader.

In this scenario, the transmission itself is not secure; it is still susceptible to being intercepted. If it is intercepted though, the data itself is completely illegible. Multiple public keys can be used to encrypt a single document; multiple recipients can decrypt the information as long as they have one of the appropriate private keys and the correct pass phrase. For more information on PGP security, visit the PGP security web site at http://www.pgp.com.

By Karl Magsig

Where it is not possible to run a dedicated gateway server, a firewall is required. There are two basic options available; a hardware firewall or a software firewall. A hardware firewall is physical equipment that stands between the local network and the Internet, and blocks all incoming or outgoing connections unless it is specifically configured to allow them. Vendors that offer good firewall hardware are BorderWare, found at http://www.borderware.com and Cisco, http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/.

Hardware firewalls are perhaps the most secure firewall solution since they are dedicated to the task of protecting the network. If a hacker were able to actually connect to the corporate firewall device, there would be no important data stored there, and thus they probably would not be able to do much irreversible damage.

By Karl Magsig

Another good software firewall is Privacy Ware's Privatefirewall. Both of these products offer complete firewall security for the computer actually connected to the Internet. However, they may be better suited for a stand-alone installation, as they don't actually provide Internet connectivity; they simply secure an existing connection.

For a complete software solution, enterprises should look at a software router/gateway with a built-in firewall. Of these solutions, WinGate Pro, from Deerfield.com (http://www.deerfield.com), offers a well-designed, easy-to-use, feature-rich user interface. When coupled with its ENS plug-in (which includes a NAT engine), it can provide not only a gateway to connect an entire network to the Internet through one Internet connection, but also complete, configurable firewall protection for an entire LAN, including the WinGate server itself. WinGate Pro offers the flexibility to open ports so Internet servers can run on the WinGate server machine, allowing connection to it from the Internet. You can also redirect specific ports, or ranges of ports, to internal computers running servers and run a Web server on a computer behind the firewall.

Another good example of a software firewall and gateway is SyGate from Sybergen (http://www.sybergen.com). This software solution provides a feature set comparable to WinGate Pro with ENS, although it offers fewer options in user configurability. Either product can be quickly and easily employed to provide Internet connectivity and firewall security to the network.

By Karl Magsig

Tape backup units are not the only solution for backing up data. CD writeable and re-writeable drives are available for use as backup devices as well. In general, CDs are faster than tape backup drives, but they normally cannot hold as much data as a tape can. CDRs (writeable CDs) are also one-time-use devices, a CDRW (CD re-writeable) drive is needed to reuse CD media.

Another popular method of backing up data is "mirroring" the hard drive. This is done by installing a second hard drive of equal or greater capacity to the original and, through the use of special software, creating a mirror image of the original. This way, if a hard drive fails for some reason, there is an exact copy of all of the data. In these cases, it is a simple task to switch the secondary hard drive to the primary and keep running as if nothing happened.

Computer hardware manufacturers have also created a redundant hard drive system called a "RAID array." In such a configuration, data is spanned across several separate hard drives running in the server, with each hard drive storing only a portion of the data. If one of the hard drives should fail, the remaining drives have enough information stored on them to piece together and replace the data that was lost when the other drive went down (there are normally four or more drives in a RAID configuration.) In this way, server operation and data access is not interrupted. If they are interrupted, it is only briefly, while the remaining hard drives pick up the slack and rebuild the missing data. Then, as soon as possible, the server is taken down, and the bad hard drive is replaced. When the server comes back up, the remaining hard drives use the data stored on them to load the information onto the new drive.

By Karl Magsig

Computer viruses are spread two basic ways. One is via e-mail, sending and receiving e-mail with infected attachments, and the other is by transmitting infected files, either by downloading infected files from the Internet or by copying files from an infected computer onto a clean one. (This can happen in any file-copy scenario, e.g., from floppy disks to shared network resources.)

When a virus is transmitted via e-mail, it comes in the form of an attachment to an e-mail message, normally from a known colleague, someone who would have you listed in her address book. These e-mail viruses will generally send themselves to everyone listed in the infected computer's address book (the address book of the default e-mail client program). The e-mail client does need to be running for this to happen, but in most all cases it is, since this is how the virus was received in the first place. Some of them will automatically run when they are received in specific e-mail clients. These attachments usually come in the form of a VisualBasic Script, which most Microsoft e-mail clients are configured to run automatically when the message is opened. Thus, you don't have to double-click the e-mail attachment to infect your computer with the virus.

What can be done about this, short of deleting all e-mail attachments? You can run an e-mail virus scanner.

By Karl Magsig

Another good e-mail virus scanner is Norton Anti-Virus 2001 from Symantec. Norton AV 2001 pulls down incoming e-mail and scans it before sending the message on to the client that made the request. In this way, it acts as a sort of mini-mail server. Norton AV will also automatically update its virus database to provide protection for the latest viruses. These updates do, however, come at a price. There is a subscription fee, normally on a monthly or yearly basis, to allow an enterprise to download the latest antivirus data. If a subscription is stopped, in most cases, the antivirus software will continue to scan. However, it will not update itself to include the latest viruses, so some newer viruses may get past the scanner.

In addition to e-mail scanning, Norton Anti-Virus also provides protection for files downloaded, copied to, or stored on the hard drive. It can be configured to run whenever the computer is booted, scanning the hard drive during boot up, then running in the system tray, monitoring the system for any signs of infection. It will then alert the system user to the problem and give them the option of quarantining it or deleting it. When a virus is deleted or quarantined, the entire file is effected, not just the virus. Therefore, if any important data files get infected, they will most likely end up lost or restored to an earlier backup once the virus has been wiped out.

By Karl Magsig

Methods are also available to secure the actual transmission channel. Most of these methods can be grouped under the heading of a virtual private network (VPN). A VPN is a secure transmission "tunnel" set up between server and client computers. A VPN acts as a private LAN but uses public transmission routes (i.e., the Internet). VPNs use two basic connectivity models.

One, called Layer 2 Tunneling Protocol (L2TP), creates a "tunnel" on the intranetwork it's connecting across, relying on user authentication at both ends (an L2TP server listens on a specific port, when a client requests a connection on that port, it must provide a recognized username and password before data transmission actually begins.)

The other model is Layer 3 Tunneling Protocol (L3TP), which assumes the two communicating devices "know" each other before establishing the connection.

Microsoft's Point-to-Point Tunneling Protocol (PPTP), is a good example of L2TP. When a PPTP connection is initiated from a client to a VPN server, the client must first authenticate to the server, the same as a workstation does when it logs in to a server on a LAN. Once authenticated, the client then encrypts its data and sends it to the server, which decrypts it and vice-versa.

IPSec (IP security) is an example of an L3TP. In Layer 3, the authentication is handled outside the VPN connection. A good example of an IPSec connection is PGP's built-in VPN client/server. The initial connection authentication is handled via PGP's key-pair. The initiating client enters the passphrase used to sign the PGP key being used for the VPN connection. Once the passphrase is authenticated on the VPN server, encrypted data communication begins.

This is just a very brief overview of VPN connections. An in-depth look at VPN and its associated protocols is beyond the scope of this document. For more information on VPN, PPTP and IPSec, check out the VPN information located on Microsoft's MS Developer's Network site, http://msdn.microsoft.com. A search on VPN will bring up lots of very good, thorough information on the subject.

By Karl Magsig

This is a very rudimentary view of the encrypted mapping proxy method. For more information on how this is used and implemented, check out the Help file included with WinGate, or consult the WinGate help desk at: http://wingate.deerfield.com/helpdesk

This tutorial barely scratches the surface of network security, both from the hardware and the data sides. There is much more information available on the Internet about network and data security. Anyone connected to the Internet is strongly encouraged to research this topic further, especially if the connection is used for business or financial purposes. As the world moves further and further into the electronic information age, security is becoming a bigger priority for everyone. From limiting access to physical servers, to keeping unwanted, prying eyes, out of your data, network security is becoming something with which even the average home user must be familiar.